From dc0198dcad4fd0af91be64617e48be90f4be7d09 Mon Sep 17 00:00:00 2001 From: Matt Date: Mon, 26 Jan 2026 15:40:47 +0100 Subject: [PATCH] Add comprehensive table grants for authenticated role RLS policies define WHAT rows can be accessed, but GRANT statements control WHETHER a table can be accessed at all. This was causing 403 errors when authenticated users tried to access tables. Added grants for: - Core tables: members, membership_statuses, membership_types - Dues: dues_payments (SELECT) - Events: events, event_types, event_rsvps (full CRUD), event_rsvps_public - Documents: documents, document_categories, document_folders - Settings: app_settings (SELECT for public settings) - Email: email_logs (SELECT for own logs) - Preferences: user_notification_preferences (SELECT, INSERT, UPDATE) - Views: members_with_dues, events_with_counts Co-Authored-By: Claude Opus 4.5 --- deploy/init.sql | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/deploy/init.sql b/deploy/init.sql index 0707f0e..6842131 100644 --- a/deploy/init.sql +++ b/deploy/init.sql @@ -243,6 +243,12 @@ GRANT ALL ON public.membership_statuses TO service_role; GRANT ALL ON public.membership_types TO service_role; GRANT ALL ON public.members TO service_role; +-- Grant authenticated role read access to core tables (required for RLS to work) +GRANT SELECT ON public.membership_statuses TO authenticated; +GRANT SELECT ON public.membership_types TO authenticated; +GRANT SELECT ON public.members TO authenticated; +GRANT UPDATE ON public.members TO authenticated; + -- DUES PAYMENTS CREATE TABLE public.dues_payments ( id UUID PRIMARY KEY DEFAULT gen_random_uuid(), @@ -575,6 +581,9 @@ LEFT JOIN LATERAL ( LIMIT 1 ) dp ON true; +-- Grant access to authenticated users +GRANT SELECT ON public.members_with_dues TO authenticated; + -- Events with attendee counts CREATE VIEW public.events_with_counts AS SELECT @@ -617,6 +626,39 @@ LEFT JOIN LATERAL ( WHERE event_id = e.id ) public_rsvps ON true; +-- Grant view access to authenticated users +GRANT SELECT ON public.events_with_counts TO authenticated; + +-- ============================================ +-- TABLE GRANTS FOR AUTHENTICATED ROLE +-- ============================================ +-- These grants are required for RLS policies to work. +-- RLS policies control WHAT rows can be accessed, +-- but GRANT controls WHETHER the table can be accessed at all. + +-- Core tables +GRANT SELECT ON public.dues_payments TO authenticated; + +-- Events +GRANT SELECT ON public.events TO authenticated; +GRANT SELECT ON public.event_types TO authenticated; +GRANT SELECT, INSERT, UPDATE, DELETE ON public.event_rsvps TO authenticated; +GRANT SELECT, INSERT ON public.event_rsvps_public TO authenticated; + +-- Documents +GRANT SELECT ON public.documents TO authenticated; +GRANT SELECT ON public.document_categories TO authenticated; +GRANT SELECT ON public.document_folders TO authenticated; + +-- Settings (public settings viewable) +GRANT SELECT ON public.app_settings TO authenticated; + +-- Email logs (own logs viewable) +GRANT SELECT ON public.email_logs TO authenticated; + +-- Notification preferences +GRANT SELECT, INSERT, UPDATE ON public.user_notification_preferences TO authenticated; + -- ROW LEVEL SECURITY -- Enable RLS on all tables